Never Use SMS For 2FA. Here’s Why
To avoid being hacked online, people choose two-factor authentication (2FA). 2FA adds a layer of security that passwords alone can't provide: requiring a second step for a user to prove their identity reduces the chance of a bad actor gaining access to data.
One of the most common methods of 2FA is the SMS text message. The problem is that SMS is not a secure medium: attackers have several tools in their arsenal that can intercept, phish, and spoof SMS. Despite this weakness, and despite better options for authentication being available, SMS-based 2FA is still used by several institutions.
SIM swapping and SS7 spoofing are real and present dangers. They turn cellphones into weak-as-a-kitten second factors and make them useless for password resets.
The most widely reported method for intercepting phone-based authentication passcodes, according to the Princeton researchers cited below, is a SIM swap attack. They explain that by making an unauthorized change to the victim's mobile carrier account, the attacker diverts service, including calls and messages, to a new SIM card and device that they control.
What Is SIM Swapping?
SIM swapping is a malicious technique in which threat actors target mobile carriers in an attempt to take over users' accounts. The end goal is to let the threat actor defeat SMS-based two-factor authentication and, with it, whatever that second factor was meant to protect.
A study conducted by the Department of Computer Science and the Center for Information Technology Policy at Princeton University confirms the risks of using SMS as a second factor. The study, An Empirical Study of Wireless Carrier Authentication for SIM Swaps, notes that although this means of authentication is ubiquitous as a second factor or account recovery method, it exposes customers to "severe risks".
Using two-factor authentication, or 2FA, is the right thing to do. But you put yourself at risk getting codes over text.
What Should I Use Instead?
An authentication app such as Google Authenticator, Microsoft Authenticator, or Authy. Such an app has the advantage of not relying on your carrier: codes stay with the app even if a hacker manages to move your number to a new phone, and they expire quickly, usually after 30 seconds or so. Besides being more secure than SMS, an authentication app is faster; you only need to tap a button to verify your identity instead of manually entering a six-digit code.